[PATCH v4 2/2] hfsplus: validate b-tree node 0 bitmap at mount time

[Shardul Bankar]

Syzkaller reported an issue with corrupted HFS+ images where the b-tree
allocation bitmap indicates that the header node (Node 0) is free. Node 0
must always be allocated as it contains the b-tree header record and the
allocation bitmap itself. Violating this invariant leads to allocator
corruption, which can cascade into kernel panics or undefined behavior
when the filesystem attempts to allocate blocks.

Prevent trusting a corrupted allocator state by adding a validation check
during hfs_btree_open(). Using the newly introduced map-access helper,
verify that the MSB of the first bitmap byte (representing Node 0) is
marked as allocated. Additionally, catch any errors if the map record
itself is structurally invalid.

If corruption is detected, print a warning identifying the specific
corrupted tree (Extents, Catalog, or Attributes) and force the
filesystem to mount read-only (SB_RDONLY). This prevents kernel panics
from corrupted images while enabling data recovery by allowing the mount
to proceed in a safe, read-only mode rather than failing completely.

Reported-by: syzbot+1c8ff72d0cd8a50dfeaa@xxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://syzkaller.appspot.com/bug?extid=1c8ff72d0cd8a50dfeaa
Link: https://lore.kernel.org/all/54dc9336b514fb10547e27c7d6e1b8b967ee2eda.camel@xxxxxxx/
Signed-off-by: Shardul Bankar <shardul.b@xxxxxxxxxxxxxxxxxx>
---
 fs/hfsplus/btree.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 22efd6517ef4..e34716cd661b 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -176,9 +176,14 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
 	struct hfs_btree *tree;
 	struct hfs_btree_header_rec *head;
 	struct address_space *mapping;
+	struct hfs_bnode *node;
+	const char *tree_name;
+	unsigned int page_idx;
 	struct inode *inode;
 	struct page *page;
 	unsigned int size;
+	u16 bitmap_off, len;
+	u8 *map_page;
 
 	tree = kzalloc_obj(*tree);
 	if (!tree)
@@ -283,6 +288,46 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
 
 	kunmap_local(head);
 	put_page(page);
+
+	node = hfs_bnode_find(tree, HFSPLUS_TREE_HEAD);
+	if (IS_ERR(node))
+		goto free_inode;
+
+	switch (id) {
+	case HFSPLUS_EXT_CNID:
+		tree_name = "Extents";
+		break;
+	case HFSPLUS_CAT_CNID:
+		tree_name = "Catalog";
+		break;
+	case HFSPLUS_ATTR_CNID:
+		tree_name = "Attributes";
+		break;
+	default:
+		tree_name = "Unknown";
+		break;
+	}
+
+	map_page = hfs_bmap_get_map_page(node, &bitmap_off, &len, &page_idx);
+
+	if (IS_ERR(map_page)) {
+		pr_warn("(%s): %s Btree (cnid 0x%x) map record invalid/corrupted, forcing read-only.\n",
+				sb->s_id, tree_name, id);
+		pr_warn("Run fsck.hfsplus to repair.\n");
+		sb->s_flags |= SB_RDONLY;
+		hfs_bnode_put(node);
+		return tree;
+	}
+
+	if (!(map_page[bitmap_off] & HFSPLUS_BTREE_NODE0_BIT)) {
+		pr_warn("(%s): %s Btree (cnid 0x%x) bitmap corruption detected, forcing read-only.\n",
+				sb->s_id, tree_name, id);
+		pr_warn("Run fsck.hfsplus to repair.\n");
+		sb->s_flags |= SB_RDONLY;
+	}
+	kunmap_local(map_page);
+	hfs_bnode_put(node);
+
 	return tree;
 
  fail_page:
-- 
2.34.1